(Updates may not be available yet for download. They should be available to everyone before the end of the day)

Apple today released a security update for its three most recent OS X versions, as well as iOS 8.2 and Apple TV 7.1, which also include security fixes.

For OS X 10.8.5 Mountain Lion, 10.9.5 Mavericks and 10.10.2 Yosemite users the update “Security Update 2015-002” is available and (depending on the version of OS X you use) contains security fixes for iCloud Keychain, the kernel and Secure Transport. The Secure Transport patch addresses the recently discovered FREAK vulnerability.

iOS 8.2 is available for iPhone 4S and later and addresses vulnerabilities in SMS Messaging, iCloud Keychain and Secure Transport.

The Apple TV 7.1 update also addresses the FREAK vulnerability.

All users are recommended to install the security update on their Mac and the iOS update on applicable devices. Mac users can use their usual Software Update methods; iOS users can update through iTunes or by going to Settings > General > Software Update. Back up your Mac or iDevice before installing updates, just as a precaution.

Java is now bundled with an Ask.com toolbar. The web is blowing up about it. “Beware”, “Adware”, “shady”, “Sneaking” and other terms are used. Is this just hype or is there something to these claims? Let’s find out.

I set up a brand new Virtual Machine, installed all the latest updates, the latest browsers, the latest versions of Flash Player and Little Snitch. I downloaded the latest version of Java directly from its source, oracle.com. When the download is selected it leads to the Java.com website (https://www.java.com/en/download/). The latest version at the time is Version 8 Update 40.

Adware is free software sponsored by ads. Toolbars are usually a form of adware. I use free software that is sponsored by ads on my Mac and my iPhone; there is nothing wrong with adware. When adware starts to act like spyware and injects ads in places it should not be, then there’s a problem.

I ran the Java installer and found clear mention of the Ask.com toolbar with two options:
– Set Ask as my default search provider
– Set Ask.com as my browser home page and new tabs page

If these boxes are unchecked, you guessed it, just Java is installed. But let’s behave like the typical user and click “Next” as fast as we can, completely ignoring all the information the installer provides.

The toolbar is installed in Safari and both the default search and home pages are changed to ask.com. Firefox users (as we should all be imo) get a warning stating a 3rd party is attempting to modify Firefox. You must allow it to be activated. If you do not allow this, the add-on will be installed but de-activated by Firefox. It does however change your default home page and search engine.

Here is what I’ve found:
– If you READ the installer information this toolbar will never make it on to your system.
– If you did manage to just click “Next” and get the toolbar installed, Firefox warns you about it and you must provide additional approval to activate the toolbar. Safari users are stuck with the toolbar immediately.
– Your new Ask.com homepage clearly shows links to how you can reset your homepage or remove the toolbar. They do not try to hide it.
– The toolbar does not inject ads anywhere they should not be.
– There are no additional processes running because of the toolbar.
– No dubious server connections are made by the toolbar.
– It takes 10 seconds to reset your home page, search engine and uninstall the toolbar in Safari.
– It takes 19 seconds to reset your home page, search engine and remove the toolbar from Firefox.
– It takes a minute to delete the few files left in the Library folder.

So, is it worth the hype? Absolutely not. Clickbait mostly in my opinion.

Oracle did not do anything “shady”. Oracle did not “sneak” this toolbar in there. Does Ask.com suck as a search service? Absolutely. Is it annoying to have to reset and uninstall the Ask.com materials after you failed to properly read an installer? Sure, but that’s on you. Is there data theft, ad injection, horrible unspeakable things happening? No. As with all installers, read the information that’s provided. Don’t brainlessly click things you shouldn’t be clicking and you can avoid most of this stuff.

For the past few days I’ve been keeping an eye on reports stating an old Mac trojan, OpinionSpy, is back. Intego has indeed confirmed the old trojan has found its way back to the Mac platform, this time through downloads from download.cnet.com. The application “Free Video Cutter Joiner” will install additional content if you allow it to. With most people just clicking through installers as fast as they can to get to the good stuff, additional content like this can easily be overlooked.

I have obtained all the samples associated with the above-mentioned file and a few others; they will be included in the antivirus test during the next update. In the meantime, watch out for any content from cnet.com and download.com and the following names:
– Free Video Cutter Joiner
– Free MP3 Cutter Joiner
– Audio Converter Mac
– Video Converter Mac
– PremierOpinion
– DVDVideoMedia
See any of these names in a file or website, stay clear for now.

If you use Little Snitch, and you should, look out for any connection attempts to:
– securestudies.com
– premieropinion.com
or any of their subdomains.
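A small check for the watchlist above, added here as an example and not part of the original post. It matches a hostname against the two domains on label boundaries, so subdomains are caught while look-alike names and domains that merely embed the string are not; the sample hostnames are constructed.

```python
# Watchlist from the post: the two domains and any of their subdomains.
BLOCKED_DOMAINS = ("securestudies.com", "premieropinion.com")

# Constructed sample of destination hostnames as they might appear in
# outbound-connection alerts. Only the first two should be flagged.
SAMPLE_HOSTS = [
    "api.premieropinion.com",          # subdomain of a blocked domain
    "SecureStudies.com.",              # exact match, odd case, trailing dot
    "notsecurestudies.com",            # look-alike: must NOT match
    "securestudies.com.example.net",   # embeds the name: must NOT match
    "www.apple.com",
]


def normalize(host):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return host.strip().lower().rstrip(".")


def is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or sits below it in the DNS tree.

    A plain substring test would flag 'notsecurestudies.com' and
    'securestudies.com.example.net'; requiring either equality or a
    '.'-separated suffix avoids both false positives.
    """
    h = normalize(host)
    for domain in blocked:
        d = normalize(domain)
        if h == d or h.endswith("." + d):
            return True
    return False


def flag_hosts(hosts, blocked=BLOCKED_DOMAINS):
    """Return the hostnames from an observed list that hit the watchlist."""
    return [h for h in hosts if is_blocked(h, blocked)]


if __name__ == "__main__":
    for hit in flag_hosts(SAMPLE_HOSTS):
        print("watchlist hit:", hit)
```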

An updated Flash Player, version 16.0.0.305, is now available for download on the Adobe website. This version patches the zero-day exploit I mentioned a few days ago. All users that have Flash Player installed should update ASAP. If you had previously disabled Flash Player, just reverse the instructions I gave in the previously mentioned article.

For now users that have Flash Player installed appear to be safe once again. That is until the next vulnerabilities are found which won’t take too long. If you do not absolutely need Flash Player on your system, consider removing it completely. You’ll be much safer out there.

It appears Apple has quietly released an updated tool in the fight against fake Flash Player installers. Two updates showed up today:
– Flashback Removal Security Update 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware.” This update also disables the Java plug-in in Safari.
– Flashback malware removal tool 1.0, released 02/02/2015 5:09 PM – “This update removes the most common variants of the Flashback malware. This update contains the same malware removal tool as Java for OS X 2012-003. This update is recommended for all Mac users who do not have Java installed.”

While both updates appear to do the same thing judging from their descriptions, a look at the installer shows the differences.

Flashback malware removal tool 1.0 installs the actual Flashback malware hunter, an agent called “MRTAgent.app” in /System/Library/CoreServices. The app does not appear to activate until the next restart. At that point two files, /System/Library/LaunchAgents/com.apple.mrt.uiagent.plist and /System/Library/LaunchDaemons/com.apple.mrt.plist, will activate the app and take care of the Flashback malware.
Flashback Removal Security Update 1.0 installs the MRTAgent app and related files, but also an app that disables Java called “JavaDisabler.app” in /System/Library/CoreServices. An additional file is added to the system LaunchAgents folder: “com.apple.javadisabler.plist”.

The descriptions and links on both updates point to older support pages, no mention is made anywhere that I could find about updated signatures or other changes. The documentation for the removal tool points to this page which was last updated on November 8, 2014. The documentation for the Security Update points to this page which was updated last around the same time as the other page, November 19, 2014.

Until someone digs around in these installers to see what’s new it’s unknown which variants specifically are targeted. It may be the recently discovered OSX.IronCore.A; Apple had already updated XProtect with its signature in December. The fact that the update references the “Java for OS X 2012-003” update that was released in 2012 is a bit confusing. Though I was able to see and download the updates using Software Update Server, none of the Macs on my network appear to be interested in the updates. If you do see these updates appear in your App Store, it’s a good idea to install them. If I find out more details about these updates I’ll post a follow-up.

Adobe released a security advisory today. Flash Player versions 16.0.0.296 (the current version) and earlier are vulnerable to an exploit that can cause a crash and allow an attacker to take control of the affected system. This vulnerability is already being exploited in the wild and no patch is available at this time.

We recommend disabling Flash Player until this issue has been patched. Here’s how to do this:
Safari: Open the Safari Preferences and go to the “Security” tab. At the bottom, where it says “Internet Plug-ins”, click the button “Website Settings”. Click on the “Adobe Flash Player” plug-in and you’ll see a list of allowed websites. If any websites show in this list, click on them once and then remove them using the “-” button. Set the setting “When visiting other websites:” to “Block”.
Firefox: From the menu bar, Tools menu, select “Add-ons”. Click on the Plugins tab in the left column and set “Shockwave Flash” to “Never Activate” (this should be set to “Ask to Activate” by default for enhanced security on any other day).

The best way is to completely uninstall Flash from your system. I have not had Flash installed for a long time and rarely run into any websites that require it. To remove Flash from your system, download the uninstaller here.

Adobe expects to patch this issue later this week but no timeframe was provided.

Today Apple released the second update to the latest OS X, 10.10.2.
While the detailed list of security fixes in this update has not yet been released we know from other sources that Apple fixed the Thunderstrike exploit, briefly mentioned in my last post, and three of the vulnerabilities reported by Google last week. Also resolved is an issue where Spotlight would load remote email contents even if Mail itself had this disabled. Some of the other fixes in this release address poor Wi-Fi performance, slow loading webpages, the ability to browse iCloud Drive in Time Machine and Safari stability and security improvements.

Separate Safari updates were released for 10.8 Mountain Lion and 10.9 Mavericks users. Both updates address stability and security. Mountain Lion users will see their version of Safari updated to 6.2.3 and Mavericks users to 7.1.3. Four WebKit issues were addressed in these updates. Safari 8.0.3 for Yosemite users is included in the OS X 10.10.2 update.

Also released was Security Update 2015-001 which “is recommended for all users and improves the security of OS X.” The update is available for 10.9.5 Mavericks users and is included in the OS X 10.10.2 update for Yosemite users. Issues addressed include AFP file sharing, Bluetooth, network cache, CoreGraphics and other vulnerabilities. It’s quite a list, which can be found here.

It is recommended to update your backups before installing these (or any) updates. In the case of a second OS X release I personally like to download and apply the combo update, this typically has resolved more of the ‘new OS’ bugs than simply running the single version update. At the time of writing the combo update and the above mentioned updates are not available for direct download. Keep an eye on the Apple downloads page where the combo update should pop up soon.

Happy new year everyone and thank you for your support, tips, samples and more over the past year.

I haven’t forgotten about this blog and I still keep my eye on any potential threats that require awareness. The past few months have just been very uneventful when it comes to Mac security. One issue I jumped on immediately was the recent NTP vulnerability, but as I was writing the article I realized Apple pushed out this update to all supported Macs. With all clients being updated automatically I felt a post about the issue had little value. Flash Player updates have been coming out at a fairly steady pace; every reader should know by now to update as soon as the system prompts for it, so these updates also required no posting from my end.

Malware has not been an issue recently so there have been no AV test updates since October. Updating these tests every time a new piece of adware is found would keep me busy full time, so I wasn’t going to do that either. I also have been stretched very thin working on a lot of other projects that have been taking up almost all of my time. I would have made the time to report on anything significant, but there have not been significant things to report on. One of the potentially big things I have been keeping my eye on since December is Thunderstrike. Currently still a proof of concept (PoC) but definitely something Apple needs to act on fast. Basically someone found a way to infect a Mac at the firmware level using a modified Thunderbolt accessory. Once infected you can reinstall, replace the hard drive, install antivirus and other tools… it won’t help. The Mac belongs to the attacker, as it controls the firmware and the firmware loads before anything else. More information can be found here and the original presentation can be found here (YouTube link). Other projects involving the exploitation of graphics cards (GPUs) are something I also keep track of, but not much has happened recently in that arena. Hacks of sites and services, exploits of certain software etc. I’m monitoring it all so I can report on it and let you know ASAP if relevant.

This post is to break the silence and to let you all know I’m still around, keeping my eyes and ears open every day, and as soon as something post-worthy comes along you’ll definitely see an article.

I saw an interesting video today which talks about the kinds of OS X malware and the ways they can persist. Now when it comes to ways that OS X malware can keep itself alive even after a reboot there is nothing new in this video; however, the tool that was created by the author Patrick Wardle is pretty cool. Basically it checks all the locations and ways malware is known to be persistent. The known LaunchDaemons and LaunchAgents, browser plugins/extensions and Login Items are all checked, but it goes a little deeper than that. Code is also checked, like plist files’ use of “RunAtLoad” or “KeepAlive”, which could indicate persistent malware.

The tool is currently in beta and command line only, but worth checking out if you want to learn more about what goes on under the OS X hood. Or maybe you suspect a malware infection and your antivirus product is coming up dry. If you know me you know my opinion of OS X’s built-in anti-malware tools XProtect and Gatekeeper: they are fairly useless. Antivirus applications perform much better and have a much better chance at offering you protection, but again, these products are (just like XProtect) reactive. Based on signatures, hashes, location data and file names they almost always offer protection after the fact. True heuristics are very hard to find in OS X products, which is sad because that may offer the best possible protection as it is proactive, not reactive. The KnockKnock tool can be easily extended with new plugins. If a new way of persistence is discovered, a simple Python plugin can be written and added to the KnockKnock functionality.

I ran the tool on my Mac and found nothing that shouldn’t be there. When I ran the tool on an infected Mac however, it was able to point out a huge amount of malware. VSearch, Genieo, iWorm, CoinThief, CodecM, Revir, a ton of browser plugins, a keylogger and much more were found to be persistent in one way or another. Over 50 total. Now of course this tool is not an antivirus application. It doesn’t monitor your Mac constantly and it doesn’t tell you “this file belongs to this malware” but I like the functionality it offers. You’ll need to know a bit about OS X, which file belongs and which doesn’t. What is a possible threat and needs further investigating and what is harmless. However for those that want to learn more about their Mac’s internals, think they are infected with malware or research malware, this is a nice tool to add to the collection. If the developer keeps working on this tool, possibly give it a GUI and make it run on a Mac all the time, this would be a great way to keep an eye on your system.
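To show what the plist check described above actually looks at, here is an added example (not KnockKnock’s code, nor the blog’s) that parses launchd property lists and reports the keys that make a job start on its own: RunAtLoad, KeepAlive and the StartInterval/StartCalendarInterval schedulers. The three plists are constructed samples with placeholder labels and paths; the hidden-path flag is an extra heuristic of my own, not something the post attributes to the tool.

```python
import plistlib

# Constructed sample plists standing in for files found under
# /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents.
# Labels and program paths are placeholders, not real software.
SAMPLE_PLISTS = {
    "/Library/LaunchDaemons/com.example.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Users/Shared/.cache/updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.helper.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/helper</string>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "/Library/LaunchAgents/com.example.ondemand.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.ondemand</string>
  <key>Program</key><string>/Applications/Example.app/Contents/MacOS/ondemand</string>
</dict></plist>""",
}


def executable_of(job):
    """The binary launchd will run: Program wins, else argv[0] of ProgramArguments."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def persistence_markers(job):
    """Keys that make a launchd job start without the user doing anything."""
    markers = []
    if job.get("RunAtLoad") is True:
        markers.append("RunAtLoad")
    keep_alive = job.get("KeepAlive")
    # KeepAlive is either a bare <true/> or a dict of conditions; both restart the job.
    if keep_alive is True or (isinstance(keep_alive, dict) and keep_alive):
        markers.append("KeepAlive")
    if "StartInterval" in job or "StartCalendarInterval" in job:
        markers.append("Scheduled")
    return markers


def scan_plists(plists):
    """Parse each plist and report label, executable, markers and a hidden-path flag."""
    findings = []
    for path, raw in plists.items():
        job = plistlib.loads(raw)
        exe = executable_of(job)
        # A '.'-prefixed directory or file is hidden in the Finder: worth a second look.
        hidden = bool(exe) and any(p.startswith(".") for p in exe.split("/") if p)
        findings.append({"path": path, "label": job.get("Label"), "program": exe,
                         "markers": persistence_markers(job), "hidden_program_path": hidden})
    return findings


def suspicious(findings):
    """Jobs that both self-start and run from a hidden path: investigate these first."""
    return [f for f in findings if f["markers"] and f["hidden_program_path"]]


if __name__ == "__main__":
    for f in scan_plists(SAMPLE_PLISTS):
        print(f["path"], f["markers"], "(hidden path)" if f["hidden_program_path"] else "")
```

On a real Mac the dictionary would be filled by reading the files in the three LaunchAgents/LaunchDaemons folders; a job with no markers is only started on demand, which is the normal case for most third-party helpers.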

You may have been amongst the first to upgrade your Mac to OS X 10.10 Yosemite, or you may be one of the people that prefers to wait a bit. Here are a few tips to ensure the upgrade goes smoothly when the time comes.

As with OS X Mavericks, the requirements cover a broad range of Macs and as with OS X Mavericks, it is not a good idea to install the system on a Mac that meets the bare minimum requirements. Here is my recommended minimum requirements list:
• iMac (Early 2009 or newer)
• MacBook (Late 2008 Aluminum, or Early 2009 or newer) (if you must)
• MacBook Pro (Early 2009 or newer)
• MacBook Air (13-Inch, Late 2010 or newer)
• Mac mini (Early 2009 or newer)
• Mac Pro (Early 2009 or newer)
– OS X 10.9.5 Mavericks.
– 4 GB of Memory, 8 GB preferred.
– 20 GB of available storage.
– A graphics card that has 512 MB of memory or more preferred.

This list is based on my experience over the years. After a new OS is released I see people every day that upgraded and have issues immediately. More often than not this is because their previous system was already experiencing issues. Cluttered drive, upgrades on top of upgrades, no maintenance etc. These can all cause issues. Upgrading from an older OS, skipping one or more versions and going straight to the latest often causes issues as well. Something I also hear a lot is “but I meet the minimum system requirements, why is it so slow?”.

Minimum system requirements tell you what is needed to run the OS, just the OS. The way these requirements are often understood is: I have 2 GB of memory, so I can run the latest system and any application I want. With only 2 GB of memory the Mac will load the OS, start up and present you with your desktop and files, but by that time it will already have consumed most of that 2 GB. If you then try to run iPhoto, iTunes, Safari, Spotify or any other application on top of that, you’ll be out of memory in a matter of minutes. Since OS X Mavericks the memory (RAM) management has really improved so people can do more with less, but there are limits. Look at your system now and your most used applications to figure out what your ideal setup should look like. For example, a user on average uses these applications:
– iTunes
– iPhoto
– Safari
– Microsoft Office
– Mail
This is just basic use of a Mac. Let’s see what each of these applications requires.
– iTunes (500 MB of RAM)
– iPhoto (4 GB of RAM recommended)
– Safari (1 GB of RAM recommended depending on use)
– Microsoft Office (1 GB of RAM recommended)
– Mail (200 MB of RAM)
Talking about Photoshop or other photo/video editing applications?
– Photoshop (1 GB of RAM for CS 6, 2 GB but 8 GB recommended for CC)
– Aperture (4 GB of RAM recommended)
– iMovie (2 GB of RAM, 4 GB recommended)

These applications require this amount of memory on top of what the OS needs to run. As you can tell, 2 GB of RAM is not enough to do anything smoothly. If the minimum requirement for something is X GB, double it to make sure it runs smoothly. The average system needs 4 GB to run smoothly most of the day, but these days 8 GB is definitely recommended.

2. Compatibility.
Once you are sure your Mac can handle the new system it’s time to check all your applications. Is all the software you have and use compatible with the new OS? Check manufacturer websites to see if you need updates or maybe even completely new versions. User forums for products can help too. If a lot of people on the Apple or Adobe forums are complaining about compatibility issues, you may want to hold off.

3. Be prepared to start fresh
If you are planning to upgrade a system that is running 10.6 or 10.7, I recommend starting fresh, meaning a clean install of the system. While upgrades like this that skip one or two OS versions can result in a perfectly smooth-running machine, this is mostly not the case. Again, speaking from experience. If your system is currently experiencing issues (regardless of the OS version you have installed) like slow performance, freezing, spinning beachball or applications unexpectedly quitting, do not upgrade. An upgrade is not a magical fix; it will almost certainly make the issue worse. Instead, resolve the problem first and then upgrade. Depending on the issue a clean install may be the best solution.
4. Backup and Clone
Upgrading to a whole new OS is a very invasive undertaking. In case something goes wrong (see point 3, but even if your system is fine, stuff can still go wrong) you want a backup to restore from. You should already have some kind of backup strategy in place like Time Machine backups, but in cases like these it’s a good idea to have a clone of your system as well. A clone is a 1:1 copy of your hard drive contents and will allow you to boot up from it or restore the entire system. If you upgrade to Yosemite and find out you hate it, have too many incompatible applications or it just doesn’t run well on your older machine, just start up from the clone drive and clone the whole thing back to your Mac. Once the clone is done and you restart it’ll be like nothing ever happened.

SuperDuper is my preferred cloning tool and I recommend using an external hard drive that supports FireWire 800, USB 3.0 and/or eSATA for best performance. USB 2.0 and FireWire 400 will work but both the cloning and booting from it, if needed, will be painfully slow. Keep running your Time Machine backups as usual too of course.

5. Remember your passwords
After installing the new system you will be asked for your Apple ID so that features like iCloud and Messages can be enabled so make sure you know the login details before you upgrade. You can set up your iCloud and Messages later on but entering these details during the installation will make for a smoother experience when it’s done.

6. Duplicate important documents
Once you upgrade and start working on a document in a new version of Numbers, just to name one, you can not open that document in older versions anymore. This is the case for a lot of software. With a new OS usually come big application updates or upgrades as well. If you have important documents that you still need to be able to work on even if you decide to downgrade back to your previous system later on (with that clone I mentioned), make a copy and work on that instead. If you open/edit the original file you may not be able to use it anymore if you downgrade your system.

Having a backup (clone preferred) will ensure you can go back to the current state of your system and is therefore the most important step when it comes to any upgrade.

I have enjoyed the new look and features so far and have yet to find any bugs or issues.